Police to take Gemalto to court

Postimees

The Police and Border Guard Board (PPA) told a representative of Gemalto AG yesterday that it is pulling out of talks to find a compromise for compensation for damages tied to the ID-card crisis and will file a claim over breach of contract against the company in the coming weeks.

«The PPA has lost confidence in Gemalto as the corporation has failed to demonstrate willingness to cooperate or genuine interest to reach a compromise. The PPA has collected enough information in inspection procedure to show that state agencies did not have knowledge of the security risk on June 15 and enough evidence to overturn Gemalto’s version of events that was published in Postimees. We have no reason to fear a trial, which is why we will be filing our claim as soon as possible,» said PPA Deputy Director Krista Aas.

The deputy director said that a compromise would have made it possible to avoid a time-consuming and expensive trial. «We wanted Gemalto to compensate the state for expenses tied to the ID-card crisis, so we could concentrate on developments in the field and serving people. However, negotiations are no longer possible,» she added.

The PPA will sue Gemalto AG over breach of contract and demand payment of compensation for damages and contractual penalties.

Postimees published an article yesterday saying that the PPA was informed of the security flaw in June of last year, two months before the agency notified the public.

The PPA and Gemalto were until recently negotiating a compromise agreement to end three major disputes. The paper reported that the compromise would have seen Gemalto withdraw its suit against Estonia’s next period ID-card procurement, the PPA withdraw a claim concerning a different minor ID-card flaw, and Gemalto compensate Estonia for half of the direct expenses associated with the ID-card crisis – around €1.5 million.

Both the State Information System’s Authority (RIA) and Prime Minister Jüri Ratas have previously said that Gemalto failed to notify Estonia of a potential security vulnerability in the ID-card last summer and that the company’s claim the PPA and RIA were notified is false.

Ratas said last November that the contract between Estonia and Gemalto states such notifications need to be in writing and bear digital signatures and that no such notification was sent. He said the information reached Estonia in the first days of September, which is when the public was notified.

The government, RIA and the PPA notified the public that Czech researchers had discovered a security risk in the Estonian ID-card in the early days of September. The state suspended the certificates of 760,000 ID-cards late on November 3.